Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available.

Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available.

3. Problem Description

a. VMware Descheduled Time Accounting driver vulnerability may cause a denial of service in Windows based virtual machines.

The VMware Descheduled Time Accounting Service is an optional, experimental service that provides improved guest operating system accounting.

This patch fixes a denial of service vulnerability that could be triggered in a virtual machine by an unprivileged, locally logged-on user in the virtual machine.

Virtual machines are affected under the following conditions:

- The virtual machine is running a Windows operating system.
- The VMware Descheduled Time Accounting driver is installed in the virtual machine. Note that this is an optional (non-default) part of the VMware Tools installation.
- The VMware Descheduled Time Accounting Service is not running in the virtual machine.

The VMware Descheduled Time Accounting Service is no longer provided in newer versions of VMware Tools, starting with the versions released in Fusion 2.0.2 and ESX 4.0.

However, virtual machines migrated from vulnerable releases will still be vulnerable if the three conditions listed above are met, until their tools are upgraded.

Steps needed to remediate this vulnerability:

Guest systems on VMware Workstation, Player, ACE, Server, Fusion

- Install the new version of Workstation, Player, ACE, Server, Fusion (see below for version information)
- Upgrade tools in the virtual machine (virtual machine users will be prompted to upgrade).

Guest systems on ESX 3.5, ESXi 3.5, ESX 3.0.2, ESX 3.0.3

- Install the relevant patches (see below for patch identifiers)
- Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade). Note the VI Client will not show the VMware tools is out of date in the summary tab. Please see http://tinyurl.com/27mpjo page 80 for details.

Guest systems on ESX 4.0 and ESXi 4.0 that have been migrated from ESX 3.5, ESXi 3.5, and ESX 3.0.x

- Install/upgrade the new tools in the virtual machine (virtual machine users will be prompted to upgrade).

If the Descheduled Time Accounting driver was installed, the tools upgrade will result in an updated driver for Workstation, Player, ACE, Server, ESX 3.0.2, ESX 3.0.3, ESX 3.5, ESXi 3.5. For Fusion, ESX 4.0, and ESXi 4.0 the tools upgrade will result in the removal of the driver.

VMware would like to thank Nikita Tarakanov for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1805 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available. See above for remediation details.

VMware         Product  Running   Replace with/
Product        Version  on        Apply Patch
=============  =======  ========  ===========================
VirtualCenter  any      Windows   not affected

Workstation    6.5.x    any       6.5.2 build 156735 or later
Workstation    6.0.x    any       upgrade to at least 6.5.2

Player         2.5.x    any       2.5.2 build 156735 or later
Player         2.0.x    any       upgrade to at least 2.5.2

ACE            2.5.x    Windows   2.5.2 build 156735 or later
ACE            2.0.x    Windows   upgrade to at least 2.5.2

Server         2.x      any       2.0.1 build 156745 or later
Server         1.x      any       1.0.9 build 156507 or later

Fusion         2.x      Mac OS/X  2.0.2 build 147997 or later

ESXi           4.0      ESXi      not affected
ESXi           3.5      ESXi      ESXe350-200904402-T-BG

ESX            4.0      ESX       not affected
ESX            3.5      ESX       ESX350-200904401-BG
ESX            3.0.3    ESX       ESX303-200905402-SG
ESX            3.0.2    ESX       ESX-1008420
ESX            2.5.5    ESX       not affected
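
A guest-side check for the three conditions listed in section a, as an added example that is not VMware's code. It assumes the driver and service display names contain "Descheduled Time Accounting" (the pattern is a parameter; confirm it on a known install) and that Windows PowerShell 2.0 or later is available in the guest.

```powershell
# Added example, not VMware code. Run inside the Windows guest.
# Assumption: the driver and service display names contain the product name
# used in this advisory. Confirm the exact names on a known install and pass
# a different -NamePattern if they differ.
param(
    [string]$NamePattern = '*Descheduled Time Accounting*'
)

# Get-WmiObject is used so the check also runs on older guests
# (Windows PowerShell 2.0).
$os      = Get-WmiObject -Class Win32_OperatingSystem
$drivers = @(Get-WmiObject -Class Win32_SystemDriver |
             Where-Object { $_.DisplayName -like $NamePattern })
$svcs    = @(Get-WmiObject -Class Win32_Service |
             Where-Object { $_.DisplayName -like $NamePattern })

# Condition 1: the guest runs Windows (recorded for the report).
$isWindows = $os.Caption -like '*Windows*'

# Condition 2: the optional driver is installed.
$driverInstalled = $drivers.Count -gt 0

# Condition 3: the service is not running. A missing service and a
# stopped service both satisfy this condition.
$serviceRunning = @($svcs | Where-Object { $_.State -eq 'Running' }).Count -gt 0

$meetsAllThree = $isWindows -and $driverInstalled -and (-not $serviceRunning)

# Emit one object per guest so results can be collected and exported.
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    GuestOS         = $os.Caption
    DriverInstalled = $driverInstalled
    ServiceRunning  = $serviceRunning
    MeetsAllThree   = $meetsAllThree
}
```

On Workstation, Player, ACE, Server and ESX 3.x the tools upgrade updates the driver rather than removing it, so a guest that meets all three conditions still needs its VMware Tools version confirmed before it is counted as vulnerable.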

b. Updated libpng package for the ESX 2.5.5 Service Console

The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

A flaw was discovered in the way libpng handled PNG images containing "unknown" chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0040 and CVE-2008-1382 to these issues.

The VMware version number of libpng after applying the update is libpng-1.0.14-12.i386.rpm.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.